
bossanovalithium writes "Gary McKinnon, whose tribulations we have followed for several years now, is the UK hacker trying to escape extradition to the US. It appears he is expected to foot the bill for the US Government patching holes his breaching uncovered — to the tune of $700,000. It's not really the norm for someone to pay for exploits to be patched — damages fixed, yes, but this is a very different thing." The article paraphrases Eugene Spafford as saying that the victim of a cybercrime should not take the blame. "If someone broke a door to rob a store, he said, it was usual to charge them the cost of the door." Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?

If I tell everyone that some houses have a big fucking gap where a door should be, am I responsible for not installing one?

Better analogy would be, that if you trespassed into someone's house, then got caught, should you be responsible for the amount they paid to have someone come in and check the place out and make sure you didn't damage anything? And the answer is...well, maybe.

It's like he noticed your house had ACME InsecureLocks and exploited the ACME InsecureLock to get in. Then told someone "hey, you know his house uses ACME InsecureLocks?"

Your house is no more or less secure than when he started. The only difference is, now people know that you bought locks that were not worth shit. How should that make him liable to buy you "TopBrand SecureLocks"? He didn't buy and install the ACME InsecureLocks, he just pointed out what everyone else could have found out if they just walked up to your front door and looked.

They're not arguing he's not responsible for the crimes he committed. They're arguing that what the US wants him to pay is the equivalent of a burglar robbing a house by walking through the back door that has no lock, then expecting the burglar to PAY for installing a lock.

Of course, at the expense it's probably also like all he stole was a postage stamp, and not a rare one either.

I don't really agree that he should have to pay to fix the holes, but if he took data, which is essentially property, he should be held accountable.

No. Data is not property. It's data. It's not even copyrightable.

Again we need to stop blaming the victim. Just because I leave my car unlocked does not give you the right to steal it or the property inside it. It's still theft. Just like a store. They don't lock up all their merchandise, so that means you should be able to just take it without paying for it? No of course not, it's still stealing.

In this case, it's like someone walking down the street with a large-holed mesh bag and getting mad because your crap fell out on the sidewalk and someone else picked it up... then telling the person who picked up your crap to buy you a new bag. Because you were too lazy or stupid to use a solid bag - or at least one with small enough holes to keep your crap in it.

"If someone broke a door to rob a store, he said, it was usual to charge them the cost of the door." Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?

More like being forced to buy a lock when he pointed out that there wasn't one to begin with. Whoever left the holes in the software should have to pay that 700k. If the Ubanti Motor Company* sells a car with defective brakes and the brakes fail and cause an accident, the Ubanti Motor Company will pay the damages, not some mechanic that demonstrated the brakes' fault in a different Ubanti Motors vehicle.

Even assuming this was a sane ruling (it's not like he modified the existing code to create the holes, just exploited them, so why is it his responsibility to fix the software?), and that he actually discovered the holes himself (and didn't just use known exploits or figure out a password), he would have to be given access to the source code, which may not be open or belong to the people he "hacked". Without access to the source, I believe most holes are found by using fuzzing, which would not give the "hacker"

If I find a hole in my Government's IT security, I'll keep my mouth shut and let the government hear about it from the Chinese or the Iranians or the S. Koreans or...anyone but me because they'll send me to jail and make me pay.

The original poster tossed South Korea (which Washington considers to be one of its strongest military allies) in with Iran (which Washington considers part of the so-called "Axis of Evil") and China (which Washington considers one of its strongest rivals); it is unlikely that he knows the difference.

Sadly, the modern American brain contains a short circuit that associates any mention of "Korea" with images of "puppet sex" [imdb.com]. Adding "South" to "Korea" doesn't overcome this effect. It's all Kim Jong Il territory to US. Amuhrrikuh, fuck yeah.

It's not my fault! It's yours !
No responsibility, no accountability...
Whoever designed this should be sued and bring in the hacker as a witness...
If I build something and you can get around it, I WILL be paying you
to show me how you did it and PLEAD with you to help me out....
Trying to cover my ass for my stupidity, well, that requires an act of ignorance.

I get really annoyed that people try to discourage hackers from their own country that might be somewhat loyal. I'd recommend encouraging and paying them.

The analogy in the summary is flawed... It's more like suppose there are hundreds of people trying to break into your house every minute--knocking at the door, twisting the knob, slamming against the door trying to gauge its strength,...

Now one kid comes up and notices that you have an open basement window. None of the other attackers have noticed it yet.

At this point he has a choice to make. Does he let you know that you screwed up, does he walk away, or does he try to sell the info to one of the guys hanging around on your front porch?

What could you do to encourage this kid to make the correct decision?

Out of all the people in the world, you are unlikely to stop them all by punishing them. You're only likely to influence the decisions of the few that are likely to want to help (and make them less likely). That's the only effect this crap has.

Unfortunately this is exactly why trying to do something nice for someone is ridiculous, and that the last Die Hard movie, based on a true story within the government about how lax the system is, and that when this was brought to the attention of certain individuals, they were sentenced for breach when they showed they broke easily into one organization's file system...I tend to agree that it seems the government is not making any friends, and setting precedent that even people within the US who would want to

I wouldn't report any kind of crime or safety hazard if this becomes a regular tactic.

McKinnon didn't "report any kind of crime or safety hazard", and there is no reason to expect that, even if the approach the government used here to assess damages from a violation of the law were to be accepted in that role, it would somehow affect people who "report any kind of crime or safety hazard".

I wouldn't report any kind of crime or safety hazard if this becomes a regular tactic.

Good. Perhaps this will teach people that just because you found some security holes, all is not forgiven for breaking into government computer systems without the authority to do so. The government already pays people to find security holes. They don't pay you. Perhaps this will teach some people that if you don't want to pay the fines for breaking the law, then don't break the law!

Also, you can say, "But this guy is obviously crazy. He's trying to find stuff about aliens." So, basically, as long

This is exactly like charging for a lock that was never there. Another analogy -- it is like forcing the thief to pay for the security system that the store owner now feels that he has to buy to prevent future actions.

If he damaged a system by hacking in, that's one thing. He should pay for that. But it's hardly his fault that the holes were there in the first place and he shouldn't be held responsible for funding the software improvements to prevent such actions in the future.

I had someone repeatedly break into my garage and take my gas cans for the lawnmowers and root through the cars for money. Eventually, they took an expensive looking but stock car radio. The time that happened, my then girlfriend walked into the garage to go to work and startled the intruder. He knocked her down and ran but wasn't afraid to come back.

I eventually placed some hidden cameras in the garage and back yard with a dummy camera on the side of the house in plain sight. It took the guy about 5 days to realize the visible camera was a dummy and I got his picture including him rooting through everything and taking crap. I then placed a piece of a set of antique lamps made of sterling silver in the garage but locked them in a cabinet with a window. Anyways, those lamps were valuable enough to make his repeated breaking in worthy of a felony on the crap I could prove he stole alone.

The prosecutor advocated that the guy pay for the security system and cameras that I had to install because of his actions. The judge agreed and order it as part of his restitution. Of course he couldn't pay while sitting in jail, but as a term of his parole, he had to make payments to an account until the costs were paid off. As I understood it, I could have sued him for the costs but doing it this way made it a condition of his freedom which meant I was more likely to get paid.

That would be paying for the materials necessary to catch the thief. Costs incurred while investigating someone breaking into your house.

This situation is more akin to you catching him and then the judge ordering him to pay for a new steel reinforced garage door with a retinal scanner for access.

If they were trying to get the hacker to pay for the expense of having caught him I might buy that. If, say, they spent a bunch of money on a new server and network setup to act as a honey pot to catch the hacker

It's an interesting story - but the one thing that sets it aside is that the cameras were fundamental in charging him for his crime, possibly even the capture.

In the full article, it doesn't say what the 700,000 dollars are for. It's a little sketchy on what can be claimed as the "Damage Caused" and whether or not the money is for the systems (and security checks) to be implemented after his breach.

Whereas you had to set up a Camera to catch the criminal, the US Government caught their criminal and now want to put up the camera. Two different scenarios, which can appear to be so similar that distinguishing who should pay what gets a little fuzzy.

Peter Sommer (the expert referred to in the article) is basically saying that the security should already have been implemented. In your case, you can argue that you shouldn't require cameras to be set up in your garage as a basic security measure. Closing and locking doors and windows should be enough.

Basically the Government did not have a firewall or any security systems in place at all to stop someone from remoting in. That's like leaving your door open, and expecting someone not to enter without permission. Someone walks inside; does that constitute breaking and entering?

The "Hacker" used a popular program used for technical support to log into a computer. My ISP can't even do that, and all because I have a 60-dollar Linksys router at home (not even a firewall), which BY DEFAULT blocks any incoming traffic on those ports.

That is like placing a lock on your door, which is pretty standard. Which the government didn't do, and is now trying to claim almost 3 quarters of a million dollars for.

Besides, to your "point", the law is on my side [wikipedia.org]. I have a right to be secure in my possessions and person.

I will not shoot someone on sight for trespassing. But I will shoot someone who routinely (or even once) burglarizes my home, or assaulted my wife or family. Given the very low rate of catching people for doing those kinds of things, there is very little incentive for criminals to not run rampant, unless there is the risk of them getting hurt. Why do you think that all mass [wikipedia.org] shootings [wikipedia.org] in recent memory [wikipedia.org] have happened in "firearm free" zones?

This is security through obscurity, and it's frightening that a government entity relies upon it enough to fine someone for publicly declaring a security flaw. Should Microsoft, Apple, or the Linux Foundation pay a fine every time they patch a security bug, thereby describing how to utilize that bug in all unpatched systems?

I think not, I think that's ridiculous. But that quickly brings us to the argument that all software that we rely on should be open source so that we can modify it to fix it ourselves... or the corollary, that all software we rely on should be closed source so it's difficult to find bugs (which is kind of an untrue assumption. I'd rather be in control of how I keep private what I'm trying to keep private. If I don't have control over the means of privacy, I have no privacy at all... I guess I should go delete my FB account).

Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?

Rather like the lock company demanding he reimburse them the cost of redesigning their badly designed locks?

From what I can find of his "hacking" abilities on the black vault [theblackvault.com]:

Somewhat frustrated by the common avenues of UFO research, Gary began some basic computer hacking techniques from his girlfriend's Aunt's house in the mid-late 1990s. Soon he began using a system of scanning for blank administrator passwords on supposedly secure networks...

Sounds more like the lock company distributed a working lock to many U.S. government entities and they put the locks on their sensitive possessions but some individuals simply forgot to close the clasp and had no policy for walking around double checking locks. If he did do $700k of damage and bring the system to a halt, he should pay for it. If they are charging him $700k for a script that scans for blank passwords on accounts on their systems and drops it in a cron job, I'll gladly fulfill the work order for half that price!

Rather like the lock company demanding he reimburse them the cost of redesigning their badly designed locks?

With or without proof that a) they actually changed the lock and b) whatever changes they made were relevant to the defect in question. If they discovered something else wrong in the process or made some unrelated changes, isn't that their problem?

I like the lock analogy, but I think it would be more appropriate to say that they are charging him for discovering that the bolts that hold the locked door shut were missing. He simply pointed it out...

"Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?"

No, it's more like making him pay for new locks because he wrote a lockpicking book. The flaws existed, and he exposed them, but it's not his fault that people might use them to perpetrate crimes. If someone tells me how to crack a safe, I'd generally blame the safe's maker for designing that fault... not the person who realized the problem. Eh?

The real crime is exposing sensitive data through the internet. If a hacker shows his concern and makes it clear that the government is exposing sensitive data, the criminal is the government, not the hacker.

The funny thing is that the real crimes are often not legally the real crimes. In the Netherlands, it is not a crime to have a system full of sensitive data that is hardly secured. But it IS a crime for anyone to expose this insecurity. The Dutch government has created a special "theft of processor time

Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?

No, not really; I think it's a little more complex than that. As far as I can tell, to use your analogy, McKinnon basically rattled the locks on the door, and found that they were unlocked. He then entered, rifled through the underwear drawers hoping to find something sexy (UFO data), and took some photos of what he found (copied files). He then left again leaving things mostly undisturbed except for

He should counter-sue the US gov for putting an insufficiently protected system on the internet in the first place. Normally that wouldn't be sensible as the damage can't be proved, but in this case it can, by the government's own reckoning: $700k.

This is where dogmatic views and analogies really contrast with technological reality. Those security holes would have existed whether or not he abused them in some misguided and naive attempt at finding info about UFOs. This is clearly a very intelligent person whose skills are of immense value. He just wasn't mature enough to realize the consequences and he certainly wasn't paranoid enough to keep his mouth shut.

It makes no sense whatsoever to lock him up with dumbasses whose greatest accomplishment in life is learning that beating their girlfriends is a bad thing or that guns and drugs don't mix well. What a sad waste of talent.

No, instead, I say: let him pay that $700000, but let him do it in the form of consulting. And fire the idiots who made those security holes in the first place.

This is clearly a very intelligent person whose skills are of immense value.

From Wikipedia: McKinnon claimed that he was able to get into the military's networks simply by using a Perl script that searched for blank passwords; in other words his report suggests that there were computers on these networks with the default passwords active.

Note that this is never ever reported in news articles. It is always that he 'hacked into' the computers. I think most people would agree that trying blank passwords doesn't really count as hacking, and most people have probably done it at one point in their lives. It is completely ridiculous that he could be extradited over this.
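The post above describes the method as a script that looks for accounts with blank passwords. The defender's version of that check is an audit of your own account database before anyone else gets to run one. The following is an added example, not code from the thread or from any project it mentions; it parses a constructed sample in the `/etc/shadow` record format (user, password field, aging fields), flags accounts whose password field is empty, and additionally flags hashes in legacy formats (no `$` prefix or `$1$`), which is an assumption about what a reviewer would want to see reported alongside blank passwords.

```python
"""Audit a shadow-style account file for empty password fields.

Added example, not from the original Slashdot thread. Input is a constructed
sample in the /etc/shadow layout: user:hash:lastchg:min:max:warn:inactive:expire:
"""
from dataclasses import dataclass

# Constructed sample accounts. The hash strings are placeholders, not real hashes
# from any system; they only need the correct prefix for this audit.
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashedvalue:19000:0:99999:7:::
admin::19000:0:99999:7:::
svc_backup:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$y$j9T$salt$hash:19000:0:99999:7:::
bob:$1$oldmd5$hash:19000:0:99999:7:::
carol:!!:19000:0:99999:7:::
"""

# Password-field values meaning "account locked, no password login possible".
LOCKED = {"!", "*", "!!", "*LK*"}

# Hash prefixes treated as acceptable. Anything else (no prefix = traditional DES,
# "$1$" = MD5-crypt) is reported as LEGACY_HASH. Which prefixes count as modern is
# a policy choice assumed here, not something the thread specifies.
MODERN_PREFIXES = ("$5$", "$6$", "$y$", "$7$", "$2b$", "$2y$")


@dataclass
class Finding:
    user: str
    issue: str


def classify(password_field):
    """Return an issue label for one password field, or None if it is acceptable."""
    if password_field == "":
        # Empty field: login succeeds with no password at all. This is the
        # condition the thread's "blank password" scan looks for.
        return "EMPTY_PASSWORD"
    if password_field in LOCKED or password_field.startswith("!"):
        # Locked accounts ("!", "*", or "!" prefixed onto a hash) cannot log in.
        return None
    if not password_field.startswith(MODERN_PREFIXES):
        return "LEGACY_HASH"
    return None


def audit_shadow(text):
    """Parse shadow-format text and return a list of Finding records, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 2:
            findings.append(Finding(f"<line {lineno}>", "MALFORMED"))
            continue
        issue = classify(fields[1])
        if issue:
            findings.append(Finding(fields[0], issue))
    return findings


def empty_password_users(text):
    """Convenience: just the user names that can log in with no password."""
    return sorted(f.user for f in audit_shadow(text) if f.issue == "EMPTY_PASSWORD")


if __name__ == "__main__":
    # On a real host you would read /etc/shadow (root only) instead of the sample.
    for finding in audit_shadow(SAMPLE_SHADOW):
        print(f"{finding.issue:15s} {finding.user}")
```

On the constructed sample, the audit reports `admin` as EMPTY_PASSWORD and `bob` as LEGACY_HASH; locked accounts and modern hashes produce no finding. The same loop runs unchanged over a real `/etc/shadow` read as root, which is the point: the check costs a few lines, so it belongs in routine host hardening rather than in a post-breach invoice.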

I remember years ago debating the value of a login banner. Granted, having a message that says "for authorized use only" won't *deter* anyone, but it does make this sort of legal weaseling more of a moot point. Instead of proving that he was intentionally out to cause damage, or that he wasn't just mindlessly poking around, they would just have had to prove he wasn't an authorized user.

By his lawyer's defense, having any open port exposed to the internet on any machine absolves the perp of responsibility.

Agreed, it is like trespassing if they don't lock the door. Now do you think anyone would ever get charged with multiple offenses, be in fear of extradition, and have to pay many hundreds of thousands, possibly more than a million dollars, for trespassing?

There is a difference between breaking and entering and trespassing. Opening a gate doesn't constitute trespassing, and neither does lifting a latch. To charge someone with breaking and entering you need to have adequately protected the house. This generally means a locked

... but I think I actually agree with the majority of the posters here. Glad I was sitting down!

He should be held liable for his actions, and for the crimes he committed - that includes breaking into government computer systems and accessing classified information. But it does seem silly charging him with the costs incurred by the government when they worked on improving their security post-breach. Really, they should have done those "security checks" long before - and if the system had been competently adm

Q: If a burglar climbs through an open window that would cost the homeowner $700,000 to close, does he owe the homeowner $700,000?

A: Of course not.

How much would the US Government have had to spend to discover the security holes Mr. McKinnon exploited? While he shouldn't be paid that money, that theoretical number should count against any "damages" he caused.

It's probable that most of the "damages" being pinned on the guy are inflated government-contractor consulting rates, which (in this taxpayer's opinio

The scope of available restitution is defined by statute. The only limitations on statutory restitution are imposed by state and federal constitutions.

Contrary to some of the nonsense spouted here, in California (in re Jeremiah F.), a burglar may be ordered to pay for the cost of a burglar alarm in a (previously unalarmed) house that he burglarized and the Montana Supreme Court has authorized restitution for enhanced security (State v. Th

"The US authorities claim he deleted critical files from operating systems, which shut down the US Army's Military District of Washington network of 2,000 computers for 24 hours, as well as deleting US Navy Weapons logs, rendering a naval base's network of 300 computers inoperable after the September 11th terrorist attacks. They claim the cost of tracking and correcting the problems he caused was $700,000.[15]"

So I don't see where the idea that the claim the $700,000 is merely to secure previously unsecured systems originates from.

If you break into a network of military computers, it seems reasonable that the owners of the computers would feel that a complete audit of the network to assess damages would be necessary.

The holes aren't his "damage". The holes were already there. I don't care if a whole wall was missing, if an individual walks into a building and does damage or steals, the damage or stealing is what they are responsible for. Building the wall or replacing the lock is not their responsibility at all.

"Great, now everyone knows we have the holes and we actually have to fix them. Everything was fine when people just assumed we had a secure system. Now this guy goes and rains on our parade. Let's try to get him to pay for fixing them."

Well, it sort of is like charging him to buy the lock. In this case, the lock was missing, unlocked, or broken; however, you're right in saying that doesn't give him the right to just walk in.

I'm not sure if he should be paying for the patching of the systems, but he should definitely pay for any damages and probably restitution. The analogy here would be "don't charge him to buy a lock, but make him pay for the TV he took and for the crime he committed."

I think it would be more accurately analogous to someone picking a business's front door lock with a paperclip, after which he might or might not have told others how to pick that type of lock with a paperclip. Then, they expect him to replace the front, back, and side door locks because now everyone knows how to break into the business. Pretty absurd inasmuch as the business had cheap lock to begin with that should have been replaced years ago, not so absurd inasmuch as the risk of those locks getting pi

But he isn't responsible for the security holes that existed. He might have made them more widely known but he did not create them. He should be punished for the act of illegally hacking federal computer systems, but the flaws are not his responsibility unless he created them himself.

But the flaws existed before he did anything. The example in the summary isn't exactly fair either, really they are trying to make him pay for a lock after he announced to the world that there isn't one. The thinking behind this logic is obviously "the security hole wasn't a problem until he announced it to the world". If you bought a new car and the doors didn't lock, would you just say to yourself "oh well, as long as no one knows about it"? Of course not, you'd want the locks fixed as soon as possibl

No, it is not simply like charging him to buy the lock that had been missing. If you entered someone's home uninvited and deliberately or accidentally caused substantial cost and damage to the homeowner, you should be liable for your actions.

I know, right?

Like last week, these kids walked uninvited across my lawn, and caused substantial damage to a number of blades of grass! And then to add insult to injury, their damned irresponsible parents just couldn't grasp their liability to pony up for the slab, four walls, roof, and two garage doors to "repair" the space their crotch-fruit just casually trespassed across!

Sure, some scofflaws would point out that I didn't have a whole garage there to start with, so why should they have to pay for the rest? But hey, I had the good solid dirt underneath a future-garage, at least.

Your analogy changes though if it's a greased naked man who squeezed through a skylight on the roof and is looking through your sock drawer at 2 am. Now perhaps it is not the man's fault that you have a skylight, and that other people who are willing can do the same thing he did... but you can see how you might want him to pay to keep others from doing the same thing.

Your analogy changes though if it's a greased naked man who squeezed through a skylight on the roof and is looking through your sock drawer at 2 am. Now perhaps it is not the man's fault that you have a skylight, and that other people who are willing can do the same thing he did... but you can see how you might want him to pay to keep others from doing the same thing.

You might want it, but there is nothing anywhere in any code of law that makes *him* responsible for putting bars on your skylight. Yes, you'll do it, and your insurer might even require it if you make a claim for the actual damages he caused (maybe he got grease on a priceless pair of silk stockings that used to belong to Marilyn Monroe?). But there's simply no precedent or code that makes YOUR basic security HIS financial responsibility.

This is crazy. It's like picking a lock without damaging it and then stealing jewelry out of a sock drawer and then being forced by the court to buy the victim a fence, guard dog, improved lock and safe to keep their jewelry in to prevent future crimes.

The one exception to this analogy would be if the hacker published the security holes. In which case you could argue it's like stealing a key and giving away copies--in which case he could reasonably be forced to pay for re-keying the locks he 'broke'.

The one exception to this analogy would be if the hacker published the security holes. In which case you could argue it's like stealing a key and giving away copies--in which case he could reasonably be forced to pay for re-keying the locks he 'broke'.

That doesn't seem to be the issue in this case. TFA quotes an expert witness who was also an insurance adjuster for technology systems, who says that the "damages" include basic IDS and firewall systems that should have been in place to begin with. If he'd hacked *through* such systems, and published the hacks, rendering the systems useless, and then they had to pay to fix the vulnerabilities or replace the systems, you could maybe make the case. That's not the issue here, though.

No, it's not like "entering someone's home." It's nowhere near that. Nothing at all. I could excuse this reckless stupidity on the Dumbtube (aka TV) but this is Slashdot. A technical website. People know what we're talking about, and those retarded, idiotic comparisons do not explain or enlighten, they just dumb the whole thing down. And in your case, they are completely wrong. Besides, he didn't cause substantial damage. He didn't break anything. Hey, what if by posting this stupid message of yours you cause

If he's the one I think he is, he was looking around for evidence of aliens, discovered that the administrator account had no password, went in, had a look round, found no aliens and left a note telling them they needed to set a password on their computer.

Okay, so I can agree with paying for a broken door. Furthermore, I can say that there could be real costs involved in doing security checks to see what damage might have been done - so I'd be okay with that argument. I think they need to draw the line there, between "money spent checking what damage was done" and "money spent making sure someone else can't do the same thing".

Insofar as how he did it would be revealed at least in part by the public record of the legal case against McKinnon, and insofar as h

However what is at issue here is what if you walk up to your neighbor and say "Hey don't you think maybe you should have a door on that house? Someone could get in you know..." He then sends you the bill for the door, lock, security bars, and exterior gate.

Such laws always come with boundaries. If you walk through his front door, and "trespass", to tell him that, then yes you get the bill. If you manage to tell him without "trespassing", then you don't get the bill.

If you ping a server, it returns a version number that you know is insecure, you don't get the bill. If you login with the default password, you do get the bill. Because logging in is trespassing if you're not authorized to login.

I can't remember the quote but it basically says that locks are for keeping honest people honest, locks don't prevent criminals from getting through in most cases.

I'm tempted to install bolt locks on the doors at my house but there are too many large windows and a huge patio door that a thief could easily break. Adding bolt locks wouldn't actually add to security.

Did he steal anything? Did he cause any actual damage, not counting the fake damage that is the cost of securing the whole damn thing in the first place? No and no. Stop with the analogies, if you can't argue without an analogy, that means you're probably wrong.